GDPR AI Vendor Assessment Checklist: 10 Questions Before Signing a DPA

GDPR AI Vendor Assessment: Key Points

Before using any AI tool that processes personal data, German companies must verify GDPR compliance. This 10-question checklist covers everything to check before signing a Data Processing Agreement.

  • A Data Processing Agreement (DPA/AVV) is legally required under Article 28 GDPR
  • Third-country data transfers require Standard Contractual Clauses (SCCs) or an equivalent mechanism
  • AI model training on your data must be explicitly prohibited in the DPA
  • German companies face additional requirements under BDSG and BetrVG

Before using any AI tool to process personal data, German companies must complete a GDPR vendor assessment. Here is the checklist Compound Law uses when reviewing AI tool DPAs — drawn from our analysis of more than 55 AI tools used by businesses in Germany and the DACH region.

Under Article 28 of the General Data Protection Regulation, every company that shares personal data with a software vendor acting as a data processor must put a compliant Data Processing Agreement (DPA) in place before processing begins. This is not optional. Without it, your company is in breach of GDPR from day one.

This guide gives you the 10 questions to ask — and what the right answers look like.

Why GDPR Vendor Assessment Matters

When you deploy an AI tool that handles personal data for your own purposes (customer names, employee records, email content, uploaded documents), your company acts as the data controller and the vendor, processing only on your documented instructions, as your data processor. Article 28 GDPR sets out what the contract between the two of you must contain.

The legal stakes are significant:

  • Fines of up to €10 million or 2% of global annual turnover, whichever is higher, for Article 28 violations (GDPR Article 83(4)(a))
  • Supervisory authority investigations triggered by a single data subject complaint
  • Data subjects’ right to compensation under Article 82 GDPR if their data was misused
  • Joint liability exposure if the vendor suffers a breach without an adequate DPA in place

In Germany, private companies are supervised by the state data protection authorities (the Landesbeauftragten für den Datenschutz, for example the BayLDA in Bavaria or the BlnBDI in Berlin), while the BfDI (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit) is responsible for federal bodies and the telecommunications and postal sectors. Both levels have consistently enforced Article 28 requirements. Several companies in Bavaria and Berlin have received formal warnings for deploying AI tools without completing vendor due diligence first.

The 10-Question GDPR AI Vendor Checklist

Use this checklist before signing any DPA with an AI vendor. Each question comes with guidance on what an acceptable answer looks like.

1. Does the vendor offer a Data Processing Agreement (DPA/AVV)?

A vendor that processes personal data on your behalf must offer a DPA. If a vendor refuses to sign one or does not have one available, do not proceed. A DPA is a legal requirement under Article 28 GDPR — not a negotiating position.

What to look for: A DPA that references Article 28 GDPR specifically, lists all processing activities, names sub-processors, and includes an annex describing technical and organisational measures.

Claude Enterprise offers a comprehensive DPA covering enterprise customers. Notion AI includes AVV provisions within its enterprise agreements. Our full AI tool DPA reviews document how each vendor approaches this requirement.

2. What is the vendor’s role — processor, controller, or joint controller?

Not every AI vendor is a pure processor. Some vendors also use your data for their own purposes — analytics, model improvement, product development — which would make them a controller or joint controller. This changes the legal basis required and your liability exposure significantly.

What to look for: DPA language that explicitly prohibits the vendor from using your data for any purpose beyond providing the contracted service to you. If the DPA is silent on secondary uses, treat it as a red flag.

3. Where is data stored and processed? (EU vs. third countries)

Data stored or processed outside the EU/EEA triggers the additional obligations of GDPR Chapter V on international data transfers. The United States is a third country for GDPR purposes even if the vendor has EU entities or EU data centres: a transfer to a US recipient is covered without further safeguards only if that specific recipient is certified under the EU–US Data Privacy Framework. Remote access from a third country, for example by US-based support or engineering staff, also counts as a transfer.

What to look for: EU-based data residency as the default option, or clearly documented transfer mechanisms for any third-country processing. A vendor who cannot confirm data residency in the EU should be treated with caution.

Cursor and ElevenLabs are examples where data residency required careful review — see our full assessments for the detail.

4. What SCCs or transfer mechanism covers international transfers?

If data is processed in a third country, the vendor must have a valid transfer mechanism in place. The main options under GDPR are:

  • Standard Contractual Clauses (SCCs) — the most common mechanism, adopted by the European Commission in June 2021 (Implementing Decision (EU) 2021/914); the earlier SCC sets could no longer be relied on after 27 December 2022
  • Adequacy decision — covering countries such as the UK, Switzerland and Japan and, under the EU–US Data Privacy Framework, US organisations that are certified under it
  • Binding Corporate Rules (BCRs) — for intra-group transfers within large multinational corporate groups

What to look for: Reference to the 2021 EU SCCs (Commission Implementing Decision (EU) 2021/914) in the DPA or its annexes, with the correct module selected (Module 2, controller to processor, for a typical processor DPA) and a documented transfer impact assessment as Clause 14 of those SCCs requires. A vendor still citing the pre-2021 SCCs is relying on a legal basis that lapsed at the end of 2022.

5. Does the vendor train AI models on your data?

This is the single most critical question for AI tools. Many vendors reserve the right to use customer data to train or improve their models — a practice that is incompatible with GDPR unless your company has a specific legal basis for permitting it (which, under a processor DPA, is extremely unlikely).

What to look for: Explicit, unambiguous language stating that the vendor does not use customer data for AI model training, fine-tuning, or product improvement. If the DPA is silent on this point, ask directly and insist on written confirmation before signing.

This was among the most significant variables in our review of 55+ AI tools. Some vendors address this clearly at the enterprise tier; others require specific contractual addenda to opt out of training.

6. What is the data retention period and deletion process?

Under Article 5(1)(e) GDPR (the storage limitation principle), personal data must not be retained longer than necessary for the stated purpose. The DPA must specify precisely how long the vendor retains your data and the process for deletion when the contract ends.

What to look for:

  • Specific retention periods for each category of data processed
  • Confirmation of deletion within a defined timeframe (typically 30–90 days) after contract termination
  • An option to request deletion at any time during the contract period
  • Written confirmation of deletion upon request

7. Who are the sub-processors and how are they approved?

Every AI vendor uses sub-processors: cloud infrastructure providers, analytics platforms, content delivery networks, support tooling. Under Article 28(2) and (4) GDPR, the vendor needs your prior written authorisation (specific or general) to engage a sub-processor, must inform you of intended changes so that you can object, and must flow down the same data protection obligations to each sub-processor in a written contract.

What to look for:

  • A published, up-to-date list of all sub-processors
  • A contractual mechanism for notifying you in advance of sub-processor changes (30 days’ notice is standard)
  • A right to object to new sub-processors before they are engaged

8. What technical and organisational measures (TOMs) are documented?

Article 32 GDPR requires processors to implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk. The DPA must either contain or reference the specific TOMs applied.

What to look for:

  • Encryption at rest and in transit
  • Access controls, role-based permissions, and authentication requirements
  • Incident response procedures and a duty to notify you, as controller, of any personal data breach without undue delay (Article 33(2) GDPR); because you must then notify the supervisory authority within 72 hours of becoming aware (Article 33(1)), the DPA should fix a short contractual deadline for the vendor's notice, for example 24 to 48 hours
  • Third-party security certifications such as ISO 27001 or SOC 2 Type II, with the certificate scope or audit report (usually available under NDA) checked to confirm it actually covers the service you are buying

9. Does the vendor support DPIA requirements?

A Data Protection Impact Assessment (DPIA) is mandatory under Article 35 GDPR for processing likely to result in high risk to data subjects. AI tools involving large-scale processing of sensitive data, automated decision-making with significant effects, or systematic monitoring of individuals are likely to trigger this requirement.

What to look for: The vendor should be able to supply documentation to support your DPIA: processing activity descriptions, risk measures, sub-processor lists, and their own risk assessments. Some vendors provide DPIA templates or pre-completed questionnaires.

10. Is the tool subject to EU AI Act high-risk classification?

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with the obligations for high-risk AI systems listed in Annex III applying from 2 August 2026. High-risk categories include AI systems used in employment and worker management, access to essential services, education, and biometric identification.

What to look for: The vendor should be able to confirm whether its system falls within any Annex III category. If it does, the vendor as provider must complete a conformity assessment and register the system in the EU database before placing it on the market, and your company as deployer takes on its own obligations under Article 26 of the AI Act, including human oversight, retention of the logs the system generates and, for systems used at the workplace, informing affected workers and their representatives before the system is put into use.

How We Applied This Checklist

Compound Law has reviewed the DPAs and terms of more than 55 AI tools used by businesses in Germany and the DACH region. See all AI tool GDPR assessments →

Each review applies this 10-question framework to answer the questions procurement and legal teams actually need: Is a DPA available? Where is data stored? Does the vendor train models on customer data? What SCCs are in place? Is a DPIA needed?

The result is a consistent, comparable library of factual DPA summaries — covering tools from Notion AI to ElevenLabs and Cursor — so procurement decisions are grounded in verified legal facts, not vendor marketing.

Special Considerations for German Companies

Beyond the baseline GDPR requirements, German companies face additional legal obligations when deploying AI tools that are worth understanding before you sign.

BDSG (Bundesdatenschutzgesetz)

Germany’s Federal Data Protection Act (BDSG) supplements GDPR with national provisions. Section 26 BDSG governs the processing of employee data and sets strict conditions for consent and purpose limitation for AI tools used in HR contexts. Any AI tool used to analyse employee productivity, screen job applications, or monitor work patterns falls squarely within its scope. Note that since the CJEU's judgment in case C-34/21 (30 March 2023), the standalone applicability of § 26(1) BDSG as a legal basis is contested, so HR processing should also be anchored directly in Article 6 GDPR.

BetrVG (Betriebsverfassungsgesetz)

If your company has a works council (Betriebsrat), AI tools that monitor employee behaviour, assess performance, or influence working conditions are subject to the works council's co-determination rights (Mitbestimmung), in particular under § 87(1) No. 6 BetrVG, which covers technical devices designed to monitor employee conduct or performance. This applies to AI scheduling tools, productivity monitoring software, and automated performance management systems.

Practical implication: Before deploying any AI tool that affects employees, engage your HR department and works council early. A missing Betriebsvereinbarung (works agreement) can invalidate an AI tool deployment and expose the company to liability under labour law — independently of any GDPR violation.

Documented compliance

German supervisory authorities expect documented evidence of vendor assessments, not just a DPA on file. Maintaining a Verzeichnis von Verarbeitungstätigkeiten (Record of Processing Activities) under Article 30 GDPR that lists each AI vendor, the legal basis, the transfer mechanism and the DPA reference is both a legal requirement and a practical safeguard in the event of an investigation.

For guidance on what a compliant DPA must contain and how to negotiate one, see our complete guide to Data Processing Agreements under GDPR.

Frequently Asked Questions

What is a Data Processing Agreement under GDPR?

A Data Processing Agreement (DPA) — known in Germany as Auftragsverarbeitungsvertrag (AVV) — is a legally required contract under Article 28 GDPR. It must be in place whenever a company (the controller) shares personal data with a vendor that processes it on its behalf (the processor). The DPA must specify the subject matter, duration, nature, and purpose of the processing, the type of data and categories of data subjects involved, and the obligations and rights of the controller. For a detailed overview of legal requirements, see our guide to DPAs under GDPR.

When is a GDPR vendor assessment required?

A GDPR vendor assessment is required before you begin using any software tool that processes personal data on your behalf. This includes AI tools used for customer service, HR, marketing, legal work, or any other business function where personal data is involved. German companies must complete this assessment before signing or activating the service, not after deployment.

Does every AI tool need a DPA?

Any AI tool that processes personal data on behalf of your company requires a DPA under Article 28 GDPR. This covers tools used for email processing, document analysis, customer support automation, code generation with access to customer data, and HR analytics. Tools that process only genuinely anonymised data (which falls outside GDPR altogether), or where no personal data of employees, customers or other individuals is involved, may not require a DPA, but determining this requires a careful legal assessment of the specific processing involved.

What happens if I use an AI tool without a DPA?

Using an AI tool to process personal data without a valid DPA constitutes a breach of GDPR Article 28. German supervisory authorities, including the BfDI and the state-level data protection authorities, can impose administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher, under Article 83(4) GDPR. In addition, affected data subjects may claim compensation under Article 82 GDPR, and any resulting data breach creates further regulatory and commercial exposure.


This article provides general legal information about GDPR compliance for AI tools. For advice on your specific situation — including reviewing or negotiating AI vendor DPAs — please seek individual legal counsel.
